From: Kees Cook <keescook@chromium.org>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: linux-hardening@vger.kernel.org,
"Andy Shevchenko" <andy@kernel.org>,
"Cezary Rojewski" <cezary.rojewski@intel.com>,
"Puyou Lu" <puyou.lu@gmail.com>,
"Mark Brown" <broonie@kernel.org>,
"Josh Poimboeuf" <jpoimboe@kernel.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Brendan Higgins" <brendan.higgins@linux.dev>,
"David Gow" <davidgow@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Alexander Potapenko" <glider@google.com>,
"Zhaoyang Huang" <zhaoyang.huang@unisoc.com>,
"Randy Dunlap" <rdunlap@infradead.org>,
"Geert Uytterhoeven" <geert+renesas@glider.be>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alexander Lobakin" <aleksander.lobakin@intel.com>,
"Liam Howlett" <liam.howlett@oracle.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Dan Williams" <dan.j.williams@intel.com>,
"Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
"Yury Norov" <yury.norov@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Sander Vanheule" <sander@svanheule.net>,
"Eric Biggers" <ebiggers@google.com>,
"Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
"Andrey Konovalov" <andreyknvl@gmail.com>,
"Linus Walleij" <linus.walleij@linaro.org>,
"Daniel Latypov" <dlatypov@google.com>,
"José Expósito" <jose.exposito89@gmail.com>,
linux-kernel@vger.kernel.org, kunit-dev@googlegroups.com
Subject: Re: [PATCH v2 06/10] fortify: strcat: Move definition to use fortified strlcat()
Date: Tue, 16 May 2023 14:15:01 -0700 [thread overview]
Message-ID: <202305161411.C0ED6E86F4@keescook> (raw)
In-Reply-To: <CAKwvOdk+CT6S6LjLb2aRVsMSgnsyHRcoT-yyifNTW8vVVwTA-A@mail.gmail.com>
On Tue, Apr 18, 2023 at 11:09:41AM -0700, Nick Desaulniers wrote:
> On Fri, Apr 7, 2023 at 12:27 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > Move the definition of fortified strcat() to after strlcat() to use it
> > for bounds checking.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > include/linux/fortify-string.h | 53 +++++++++++++++++-----------------
> > 1 file changed, 26 insertions(+), 27 deletions(-)
> >
> > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> > index 8cf17ef81905..ab058d092817 100644
> > --- a/include/linux/fortify-string.h
> > +++ b/include/linux/fortify-string.h
> > @@ -151,33 +151,6 @@ char *strncpy(char * const POS p, const char *q, __kernel_size_t size)
> > return __underlying_strncpy(p, q, size);
> > }
> >
> > -/**
> > - * strcat - Append a string to an existing string
> > - *
> > - * @p: pointer to NUL-terminated string to append to
> > - * @q: pointer to NUL-terminated source string to append from
> > - *
> > - * Do not use this function. While FORTIFY_SOURCE tries to avoid
> > - * read and write overflows, this is only possible when the
> > - * destination buffer size is known to the compiler. Prefer
> > - * building the string with formatting, via scnprintf() or similar.
> > - * At the very least, use strncat().
> > - *
> > - * Returns @p.
> > - *
> > - */
> > -__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
> > -char *strcat(char * const POS p, const char *q)
> > -{
> > - const size_t p_size = __member_size(p);
> > -
> > - if (p_size == SIZE_MAX)
> > - return __underlying_strcat(p, q);
> > - if (strlcat(p, q, p_size) >= p_size)
> > - fortify_panic(__func__);
> > - return p;
> > -}
> > -
> > extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
> > /**
> > * strnlen - Return bounded count of characters in a NUL-terminated string
> > @@ -435,6 +408,32 @@ size_t strlcat(char * const POS p, const char * const POS q, size_t avail)
> > return wanted;
> > }
> >
> > +/* Defined after fortified strlcat() to reuse it. */
>
> I don't follow; the previous location was already defined in terms of
> calls to strlcat. Why is this patch necessary?
>
> Could this be fixed in 5/10
> https://lore.kernel.org/linux-hardening/20230407192717.636137-5-keescook@chromium.org/
> by just putting strlcat in the expected place in the first place?
I wanted to collect all the str*cat functions together.
> > +/**
> > + * strcat - Append a string to an existing string
> > + *
> > + * @p: pointer to NUL-terminated string to append to
> > + * @q: pointer to NUL-terminated source string to append from
> > + *
> > + * Do not use this function. While FORTIFY_SOURCE tries to avoid
> > + * read and write overflows, this is only possible when the
> > + * destination buffer size is known to the compiler. Prefer
> > + * building the string with formatting, via scnprintf() or similar.
> > + * At the very least, use strncat().
> > + *
> > + * Returns @p.
> > + *
> > + */
> > +__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
> > +char *strcat(char * const POS p, const char *q)
> > +{
> > + const size_t p_size = __member_size(p);
> > +
>
> This drops the `p_size == SIZE_MAX` guard. Might it be faster at
> runtime to dispatch to __underlying_strcat rather than __real_strlcat
> in such cases?
I wanted to avoid repeating the same checks, so since strlcat() already
does the right checking, I avoided repeating it here.
> What's the convention for __underlying_ vs __real_ prefixes in
> include/linux/fortify-string.h?
__underlying may be wrapped by K*SAN before being implemented via
__builtin, where as __real is used for things that aren't wrapped and/or
aren't available with a __builtin (e.g. strscpy).
--
Kees Cook
next prev parent reply other threads:[~2023-05-16 21:15 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-07 19:27 [PATCH v2 00/10] fortify: Add KUnit tests for runtime overflows Kees Cook
2023-04-07 19:27 ` [PATCH v2 01/10] kunit: tool: Enable CONFIG_FORTIFY_SOURCE under UML Kees Cook
2023-04-07 23:33 ` Nick Desaulniers
2023-04-07 23:42 ` Nick Desaulniers
2023-05-10 19:24 ` Kees Cook
2023-05-22 19:43 ` Nick Desaulniers
2023-05-22 20:14 ` Kees Cook
2023-05-07 15:20 ` Kees Cook
2023-04-07 19:27 ` [PATCH v2 02/10] fortify: Allow KUnit test to build without FORTIFY Kees Cook
2023-07-02 15:07 ` Geert Uytterhoeven
2023-07-03 19:47 ` Kees Cook
2023-04-07 19:27 ` [PATCH v2 03/10] string: Add Kunit tests for strcat() family Kees Cook
2023-04-07 19:27 ` [PATCH v2 04/10] fortify: Use const variables for __member_size tracking Kees Cook
2023-04-18 17:58 ` Nick Desaulniers
2023-04-07 19:27 ` [PATCH v2 05/10] fortify: Add protection for strlcat() Kees Cook
2023-04-07 19:27 ` [PATCH v2 06/10] fortify: strcat: Move definition to use fortified strlcat() Kees Cook
2023-04-18 18:09 ` Nick Desaulniers
2023-05-16 21:15 ` Kees Cook [this message]
2023-04-07 19:27 ` [PATCH v2 07/10] fortify: Split reporting and avoid passing string pointer Kees Cook
2023-04-08 2:26 ` kernel test robot
2023-04-20 15:52 ` Alexander Lobakin
2023-04-07 19:27 ` [PATCH v2 08/10] fortify: Provide KUnit counters for failure testing Kees Cook
2023-04-18 18:20 ` Nick Desaulniers
2023-04-07 19:27 ` [PATCH v2 09/10] fortify: Add KUnit tests for runtime overflows Kees Cook
2023-04-08 0:33 ` kernel test robot
2023-04-18 18:27 ` Nick Desaulniers
2023-04-07 19:27 ` [PATCH v2 10/10] fortify: Improve buffer overflow reporting Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202305161411.C0ED6E86F4@keescook \
--to=keescook@chromium.org \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=aleksander.lobakin@intel.com \
--cc=andreyknvl@gmail.com \
--cc=andy@kernel.org \
--cc=brendan.higgins@linux.dev \
--cc=broonie@kernel.org \
--cc=cezary.rojewski@intel.com \
--cc=dan.j.williams@intel.com \
--cc=davidgow@google.com \
--cc=dlatypov@google.com \
--cc=ebiggers@google.com \
--cc=geert+renesas@glider.be \
--cc=glider@google.com \
--cc=jose.exposito89@gmail.com \
--cc=jpoimboe@kernel.org \
--cc=kunit-dev@googlegroups.com \
--cc=liam.howlett@oracle.com \
--cc=linus.walleij@linaro.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=mhiramat@kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=puyou.lu@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sander@svanheule.net \
--cc=vbabka@suse.cz \
--cc=yury.norov@gmail.com \
--cc=zhaoyang.huang@unisoc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.